[245] in linux-announce channel archive


Linux Security Mailing Lists

daemon@ATHENA.MIT.EDU (Lars Wirzenius)
Sat Mar 4 06:58:39 1995

Date: Sat, 4 Mar 1995 12:33:40 +0200
From: Lars Wirzenius <wirzeniu@cc.helsinki.fi>
To: linux-activists@niksula.hut.fi, linux-announce@vger.rutgers.edu

X-Mn-Key: announce

From: okir@monad.swb.de (Olaf Kirch)
Newsgroups: comp.os.linux.announce
Subject: Linux Security Mailing Lists
Organization: Je n'existe pas
Keywords: security mailing lists cert
Approved: linux-announce@tc.cornell.edu (Lars Wirzenius)
Followup-to: comp.os.linux.setup

		   Linux Security Mailing Lists


					Even paranoids have enemies
							- anonymous


  As most of you will recall, a number of security problems affecting
  Linux systems have been discovered in the past, and have been handled
  in one way or other. Some of them have been made public along with
  information on how to exploit them. For others, fixes have been made
  public without revealing the exact path of attack. Yet other problems
  have not been publicized at all, trusting that old, insecure versions
  of some programs will gradually be replaced by some new version that
  does not suffer from these known deficiencies.

  So far, only one of these problems has been handled by CERT, namely
  the login bug (which also affected one commercial OS). I don't know
  if this is due to CERT's reluctance to publish Linux-related information,
  or whether they simply haven't been informed.

  What we offer to do is set up a similar mechanism for Linux that is
  able to distribute security-relevant information to Linux users or
  administrators that run a networked Linux box.  This would allow them
  to plug any holes early on, without having to scan all Linux newsgroups
  and mailing lists all of the time.

  We have set up two mailing lists for this, one for general announcements
  and one for security-related discussions.

    linux-security@linux.nrao.edu
  	This is the discussion list. It is hand-moderated to keep
  	noise to a minimum. If turnaround time proves to be a problem,
  	we will gladly accept any suggestions for an alternative concept.

  	We have also discussed an invite-only list, but found it difficult
  	to implement, and of questionable benefit. If the majority of
  	developers, distribution maintainers and site admins think this
  	would be necessary, we may possibly change our minds.

    linux-alert@linux.nrao.edu
  	This is the announcement list. It is mainly for postings about
  	security holes, and how to plug them.

	If you think you have spotted a security problem, be it with a
	specific distribution, application etc, or if you are a developer
	and wish to announce a security-related fix to your application, we
	will produce an announcement with you and publish it on this list.
	Our main objective is to suggest fixes to these problems without
	immediately giving away the trick on how to exploit them (if
	possible), but intend to do so later when people have had the time
	to upgrade their installation.

  	We expect this list to be very low-volume. Unless people object
  	to the idea, we could also cross-post all information to other
  	groups such as comp.os.linux.announce and/or the linux-admin list.

	Announcements in this list will be PGP-signed by either Jeff or
	Olaf, so you can verify that it is not a spoof attempt. 



  How to Subscribe
  ----------------

  Both mailing lists are managed using Majordomo. To subscribe yourself,
  send a message to majordomo@linux.nrao.edu and put the following commands
  in the message body:

    subscribe linux-security your@mail.address

  and/or

    subscribe linux-alert your@mail.address

  Digested versions of both lists are also available (although digesting
  may only make sense with the discussion list); they are named
  linux-alert-digest and linux-security-digest, respectively.

  For more information, send a message to the above address containing the
  command `help'.


  Obtaining our PGP Public Keys
  -----------------------------

  You can obtain our PGP public keys by fingering the following addresses:

  finger juphoff@linux.nrao.edu		for Jeff's Key
  finger okir@brewhq.swb.de		for Olaf's Key

  You can also obtain them by sending a message to pgp-public-keys@pgp.mit.edu
  with a subject line of "get juphoff@nrao.edu" and "get okir@monad.swb.de",
  respectively.



  If you have any suggestions etc., please let us know.

  Olaf Kirch <okir@monad.swb.de>
  Jeff Uphoff <juphoff@nrao.edu>

--
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember Keywords: and a short description of the software.

